FAQ - For Password Reset, why are challenge questions not good enough?

The following are typical challenge questions that you answer when setting up an account:

What was your first pet’s name?

What is your favorite food?

What is your mother’s maiden name?

In a paper, summarized at WWW 2015, the authors concluded that the secret questions are neither secure nor reliable enough to be used as standalone account recovery mechanism. They indicated that the questions/answers suffer from a fundamental flaw – that the answers were secure and difficult to remember or easy to remember and rarely both.

Challenge questions are also used sometimes as an additional layer of security to protect against suspicious logins. Here are some of their findings:

40% of English-speaking US users couldn’t recall their secret question answers when they needed to. These same users, meanwhile, could recall reset codes sent to them via SMS text message more than 80% of the time and via email nearly 75% of the time.

Some of the potentially safest questions—"What is your library card number?" and "What is your frequent flyer number?"—have only 22% and 9% recall rates, respectively.

For English-speaking users in the US the easier question, "What is your father’s middle name?" had a success rate of 76% while the potentially safer question "What is your first phone number?" had only a 55% success rate.

2FA tokens sent to users’ registered mobile devices (and devices themselves during registration of the account may be initially verified via a code sent to them over SMS) provide a much more secure and easy method to recover lost passwords and to validate suspicious logins.

The study concluded: “... site owners should use other methods of authentication, such as backup codes sent via SMS text or secondary email addresses, to authenticate their users and help them regain access to their accounts. These are both safer, and offer a better user experience.”